Tue, Nov 5, 2024

About

I’m Khürt Williams, Principal Consultant of Monkey Hill, LLC, an information security consultancy in Princeton, NJ. With over 26 years in IT—including 20 years in information security—I’ve specialised in consulting since 2013, focusing on security architecture and security design to address business needs, mitigate risks, and implement effective security controls. My background also includes multimedia R&D, systems integration, and full-stack web application development.

• Industry Experience: 29+ years across Research & Development, Financial Services, Government, Pharmaceutical, and Publishing.
• Technical Expertise: 26+ years in web app development, server administration (web, database, OS), and system integration.
• Security Specialisation: 20+ years in information security covering vulnerability analysis, patch management, log management, security governance, security architecture, and IAM.

I hold multiple professional certifications in security and IT, including:

• Certified Information Systems Security Professional (CISSP)
• Certified Cloud Security Professional (CCSP)
• AWS Certified Cloud Security Professional
• Certified in Risk and Information Systems Control (CRISC)
• ITILv3 Certified Professional

I’m available for both quick consultations and long-term engagements.

---

Contact

I’d love to hear from you! Reach out via:

• Email: khurt@monkeyhill.llc
• Phone: 609-865-3380
• LinkedIn: Khürt Williams
• Clarity.fm: Schedule a Call for expert advice and consulting.

To discuss a project or book time on my calendar, Schedule a Meeting.

I look forward to connecting with you!

---

Education

• Master of Science in Engineering, Electrical and Computer Engineering
  University of Michigan, Ann Arbor, Michigan

• Bachelor of Engineering, Electrical Engineering
  Georgia Institute of Technology, Atlanta, Georgia

• Bachelor of Arts, Physics
  Drew University, Madison, New Jersey

---

Certifications

• Certified Cloud Security Professional (CCSP)
• Certified Information Systems Security Professional (CISSP)
• AWS Certified Cloud Practitioner
• ITILv3 Foundation Certified (ITIL)
• Certified in Risk and Information Systems Control (CRISC)

---

Experience

TEKSystem, New York – January 2024 to Present

Security Architect
Client: M&T Bank, Buffalo, New York

• Conducted comprehensive technical security assessments for cloud-based and on-premises systems, identifying design flaws and control gaps.
• Reviewed security architecture diagrams and technical security controls to identify control gaps.
• Performed threat modelling exercises using a modified STRIDE technique to prioritise potential security risks based on impact and likelihood.
• Developed detailed security consultation documents with actionable recommendations to address identified vulnerabilities and improve application security.
• Collaborated closely with application security and infrastructure teams to implement security recommendations and improve overall system security posture.
• Ensured alignment of application security controls with regulatory frameworks including PCI DSS, SOC 2, and FFIEC, contributing to M&T Bank’s compliance efforts and protection of sensitive customer data.

ConsultNet, New York, New York – October 2023 to January 2024

Senior Security Architect
Client: S&P Global Dow Jones Indices, New York, New York

• Conducted comprehensive technical security assessments for cloud-based and on-premises systems, identifying design flaws and control gaps.
• Reviewed security architecture diagrams and technical security controls to identify control gaps.
• Performed threat modelling exercises using a modified STRIDE technique to prioritise potential security risks based on impact and likelihood.
• Developed detailed security consultation documents with actionable recommendations to address identified vulnerabilities and improve application security.
• Ensured alignment of application security controls with regulatory frameworks including PCI DSS, SOC 2, and FFIEC, contributing to M&T Bank’s compliance efforts and protection of sensitive customer data.

Monkey Hill, LLC, Princeton, New Jersey – May 2013 to October 2023

Senior Security Architect/Security Specialist

Client: Santander Holdings USA, Boston, Massachusetts

• Led a remote team of security architects across the USA and Mexico, overseeing comprehensive security assessments for on-premise and cloud-based applications.
• Utilised a modified STRIDE threat modelling technique, web-based diagramming applications, and sequence diagrams to evaluate potential risks to information assets, applications, and infrastructure.
• Conducted thorough analyses of application security architectures, considering a broad spectrum of internal and external factors.
• Collaborated in developing and implementing security frameworks, policies, and procedures aligned with industry best practices and regulatory requirements.
• Collaborated in mapping a security framework to internal standards and led the build-out of web pages to assist application teams in understanding and implementing security measures.
• Ensured compliance with standards such as PCI DSS, FFIEC, SOX, FINRA, NYDFS, and GDPR by integrating regulatory requirements into security strategies.
• Worked closely with cross-functional teams, including IT, BISO, Risk Management, Enterprise Architecture, and executive management, providing comprehensive security consultation and guidance.
• Spearheaded the continuous improvement of the information security architecture review process, enhancing efficiency and effectiveness.
• Collaborated with application security and infrastructure teams to implement security recommendations and improve overall system security posture.

Client: CLS Group, New York, New York

• Using industry standards such as NIST CSF, COBIT, and CIS Critical Security Controls, collaborated with peers to develop and implement security frameworks to protect financial platforms, systems, and data.
• Identified and assessed potential threats in application and system architectures, helping teams mitigate risks through secure design and controls.
• Worked with development, operations, and DevSecOps teams to integrate security into the development lifecycle.
• Evaluated third-party services and solutions, ensuring they met the company’s security requirements.
• Ensured applications and systems had strict adherence to regulatory requirements, guaranteeing compliance with industry standards (NYDFS, FFIEC).
• Reviewed architecture diagrams and vendor documentation, including SOC 2 Type 2 and ISO 27001.
• Engaged with stakeholders in Project Management, Application Development, Compliance and Audit, Business Analyst, Quality Assurance (QA), IT Engineering, and Enterprise Architecture teams to facilitate seamless project execution.

Client: State of New Jersey, Trenton, New Jersey

• Led a project to re-design and implement a PCI DSS-compliant online payment application security architecture.
• Documented and analysed the flow of cardholder data across networks, applications, and systems.
• Developed standards and procedures for vulnerability and patch management.
• Developed security controls that meet PCI DSS requirements, such as encryption, tokenisation, network segmentation, and access control mechanisms to limit data exposure.
• Conducted security risk assessments to identify vulnerabilities in the payment processing infrastructure.
• Provided guidance during PCI DSS audits to ensure compliance with all 12 PCI DSS requirements.
• Collaborated with cross-functional teams to integrate PCI DSS requirements into organisational processes and technology projects.
• Regularly presented project security status and recommendations to executive management.
• Advised stakeholders and senior leadership on PCI DSS compliance strategies, emerging threats, and potential impacts on business operations.
• Oversaw continued compliance with all PCI DSS requirements, including conducting regular self-assessments, vulnerability scans, and managing external audits (e.g., ROC - Report on Compliance).
• Led security risk assessments specific to payment systems, identifying potential vulnerabilities, and implementing mitigation strategies to reduce the risk of data breaches or non-compliance.
• Developed an incident response plan and guided post-incident reviews.
• Conducted regular training sessions for employees on PCI DSS compliance, secure handling of cardholder data, and overall security best practices to maintain a culture of security awareness.
• Developed and maintained PCI DSS-specific policies, procedures, standards, and documentation, ensuring all controls and processes were properly documented and up to date with the latest PCI DSS version.
• Served as the primary point of contact for PCI DSS assessors (QSA) during compliance audits, ensuring timely communication and issue resolution.

Accomplishments

• Guided the organisation through four successful PCI DSS audits.

Bristol Myers-Squibb, Princeton, New Jersey – April 2003 to May 2013

Senior Security Advisor

• Provided strategic security advisory and contributed to developing enterprise security policies, standards, and guidelines in alignment with regulatory frameworks like HIPAA, SOX, and FDA CFR Part 11.
• Collaborated with internal teams to lead risk assessments and develop mitigation strategies, ensuring compliance with industry standards (e.g., ISO 27001, NIST) and secure handling of sensitive data like intellectual property and clinical research data.
• Collaborated with infrastructure teams to design and implement security controls for network, system, and application layers, working together on secure configurations of firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption tools.
• Collaborated with cross-functional teams to design and execute the incident response plan, facilitated log collection for forensic investigations, and worked with external teams to mitigate security breaches.
• Managed log data collection and analysis to ensure comprehensive security event monitoring, enhancing threat detection and compliance reporting.
• Conducted regular vulnerability scanning for critical systems and applications, ensuring the organisation was protected from known security threats.
• Evaluated and tested new security tools, technologies, and software, advising on their implementation and integration within the company’s existing infrastructure.
• Managed the configuration and maintenance of web proxy systems to enforce secure browsing policies and protect the organisation from malicious web-based threats.

Accomplishments

• A custom vulnerability scanning tool using NMAP, Nessus, Perl, CGI, LDAP, PostgreSQL, and JavaScript, streamlining patch prioritisation and improving overall security.
• Developed a Configuration Management Database (CMDB) compliance application for rapid data classification, aiding in efficient security risk assessments.
• Conducted training sessions on social media risks, increasing corporate awareness and reinforcing security practices related to social media usage.
• Spearheaded the deployment of an enterprise Security Information and Event Management (SIEM) system, strengthening the organisation’s threat detection and incident response capabilities.
• Enhanced system and application vulnerability scanning processes, ensuring timely identification and remediation of potential threats.

---

Skills

• Security Architecture & Governance: Strategic security design, policy creation, governance, and compliance with industry standards (ISO 27001, NIST, PCI DSS). Skilled in Application Security Architecture, Security Architecture Design, IT Security Assessments, Vulnerability Assessment, and Threat Modelling.

• Risk & Threat Management: Comprehensive threat modelling, risk assessment, compliance frameworks (ISO/IEC 27001, NIST CSF, PCI DSS, CIS Controls), vulnerability management, and tools like IriusRisk.

• Identity & Access Management (IAM): Proficient in managing and securing identity and access protocols across cloud and on-premises environments.

• Data Security & Privacy Training: Data protection, privacy regulations, vulnerability scanning, patch management, and security awareness training.

• Cloud & Technical Skills: Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), Security Services Edge (SSE), IDS, Web Proxy, AWS (IAM, RDS, EC2, S3), Software Development Life Cycle (SDLC), and cloud-native architecture (IaaS, PaaS, SaaS). Skilled in Bash, C, JavaScript, Perl, PHP, Python, SQL, macOS, UNIX, Linux, SAML, OAuth, SafeNet HSM.

• Technical & Cybersecurity Tools: Nessus, Wireshark, OWASP Top 10, sed, AWK, grep, nmap, snort, metasploit, OpenVAS, Log Management.

• Leadership & Professional Skills: Experienced in project management, strategy, team leadership, technical writing, and process improvement, with strong public speaking abilities.